-
Announcing SecTemplates.com release #6: Security Partner Program Pack v1
I have built several security partner programs at companies such as Box Inc. and Coinbase, with over 8 years of experience leading them. I have consistently observed the benefits of a partner-focused model versus a classical consultancy model within medium to large enterprises. I’m pleased to announce our 6th program pack, the Security Partners Program…
-
Announcing SecTemplates.com release #5: Security Exception Program Pack 1.0
The goal of this release is to provide all the necessary resources to establish and set up a fully functioning security exceptions program at your company. – Robert Auger (@robertauger) In this pack, we cover: Security Exception Definitions: This document describes common terminology used in an exceptions process, outlines definitions for the various stakeholders participating in…
-
Announcing SecTemplates.com release #4: Vulnerability Management Program Release Pack 1.0
I’m pleased to announce our fourth release, the Vulnerability Management Program Pack. The goal of this release is to provide everything you’d need to establish and set up a fully functioning vulnerability management program at your company. – Robert Auger (@robertauger) In this pack, we cover: Vulnerability Level Definitions: This document outlines vulnerability severity levels to help your…
-
Announcing SecTemplates.com release #3: Bug bounty program pack 1.0
Introduction There are numerous considerations beyond selecting a provider, many of which are often overlooked in public documentation. The goal of the Bug Bounty Program pack is to help people quickly ramp up on the topic, providing them with the necessary information to begin their journey and ultimately launch a program. – Robert Auger (@robertauger) Announcement: https://www.sectemplates.com/2024/07/announcing-the-bug-bounty-program-pack-10.html…
-
Announcing SecTemplates.com release #2: External penetration testing program pack 1.0
In addition to CGISecurity I work on other side projects from time to time. Below is my second announcement from my latest project. Introduction I have built out several penetration testing programs, both internally and externally, at companies such as eBay, PayPal, and Box to name a few. Before you have the resources for an…
-
Announcing SecTemplates.com and the incident response program pack 1.0
In addition to CGISecurity I work on other side projects from time to time. Below is an announcement about my latest project. Introduction I’ve worked in the security industry for over 20 years and, during this time, have built and shaped many security programs. At every company I join, I find myself recreating or developing security…
-
Presentation: Problems you’ll face when building a software security program
A video for a talk I gave at LASCON last year made it online that some folks may find interesting. I rarely give public talks, but felt this information would have been useful to learn earlier in my career. Basically it goes through problems I've had to deal with building out appsec programs at companies…
-
WASC Announcement: Static Analysis Technologies Evaluation Criteria Published
The Web Application Security Consortium (WASC) is pleased to announce the Static Analysis Technologies Evaluation Criteria. The goal of the SATEC project is to create a vendor-neutral set of criteria to help guide application security professionals during the process of acquiring a static code analysis technology that is intended to be used during source-code driven…
-
WASC Announcement: ‘Static Analysis Tool Evaluation Criteria’ Call For Participants
I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics, vendors, software developers…
-
NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad
NIST has published a fantastic project (it's been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and C/C++. From the README: "This archive contains test cases intended for use by organizations and individuals that wish to…
-
The OWASP AppSec USA 2011 Call for Papers (CFP)
Lorna Alamri writes in the following announcement "The OWASP AppSec USA 2011 Call for Papers (CFP) is now open. Visit the following URL to submit your abstract for the September 22-23, 2011 talks in Minneapolis, Minnesota: http://www.appsecusa.org/talks.html We're excited to announce that speakers will be in good company with our first keynote, OWASP founder Mark Curphey, who will…
-
WASC Party at RSA
The Web Application Security Consortium (of which I am a co-founder) is throwing a party at RSA this year in San Francisco. Here's the formal announcement. "Take a Break @ RSA and Meet-up with Your Peers at the WASC Meet UP Join your Web application security peers for lunch at Jillian's @ Metreon. Take a…
-
New Silicon Valley security conference – BayThreat
A handful of people from Silicon Valley (myself included) have been discussing the lack of a good hacker conference in the Bay Area (RSA does not count) for some time and decided to meet up during DEF CON to see what we could do about this. It was concluded that the only logical thing to do was…
-
Phrack #67 is out for 25th anniversary!
To celebrate 25 years the Phrack team has published issue #67. Contents: Introduction (The Phrack Staff); Phrack Prophile on Punk (The Phrack Staff); Phrack World News (EL ZILCHO); Loopback (is back) (The Phrack Staff); How to make it in Prison (TAp); Kernel instrumentation using kprobes (ElfMaster); ProFTPD with mod_sql pre-authentication, remote root (FelineMenace); The House Of…
-
CGISecurity Turns 10!: Summary of the more interesting site posts throughout the years
To commemorate this site turning 10 I've created a list of my top 10 thought-provoking/innovative posts that people who haven't been following this site may be unaware of. The Cross-site Scripting FAQ (2001) In 2001 someone informed me of this new threat involving the injection of HTML/JavaScript into a site's response (XSS). At…
-
CGISecurity.com Turns 10!: A short appsec history of the last decade
Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web-related vulns and attacks. When I first started this site I…
-
WASC Web Hacking Incident Database Semi-Annual Report for 2010
Fellow WASC officer Ryan Barnett has published an update to the Web Hacking Incident Database project. He sent the following to The Web Security List (a list which I operate) this morning. "Greetings everyone, I wanted to let you all know that we have released the new WHID report for 2010 – http://projects.webappsec.org/Web-Hacking-Incident-Database-2010-Semi-Annual-Report A…
-
Web Security Dojo v1.0 release
From the announcement "Web Security Dojo is a turnkey web application security lab with tools, targets, and training materials built into a Virtual Machine (VM). It is ideal for both self-instruction and training classes since everything is pre-configured and no external network connection is needed. All tools and targets are configured to use non-conflicting ports and…
-
Watcher 1.3.0 passive Web-vulnerability testing tool released
"A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an open source addon to the Fiddler Web proxy that aids developers, auditors, and penetration testers in finding Web-application security issues as well as hot-spots for deeper review." – Casabasecurity The full announcement can be found at…
-
2010 SANS Top 25 Most Dangerous Programming Errors Released
I was lucky enough to assist in this project and I must say that a lot of great discussions took place. Unlike many other top x security lists, SANS/MITRE's methodology is fairly extensive and well documented, giving you insight into how decisions were made. I do want to point out that top x lists in…
-
R.I.P. Apache 1.x: Apache 1.3.42 marks end of life
The latest version of Apache 1.3.42 is the last 1.3 version of Apache that will be released. I admit I've been running 1.3 for ages now due to it being rock solid and having a decent security track record. The announcement states that security patches 'may be available' at http://www.apache.org/dist/httpd/patches/ but consider this the time…
-
Nikto version 2.1.1 released
Sullo has sent the following announcement to the full disclosure mailing list indicating a new release of Nikto. "I'm happy to announce the immediate availability of Nikto 2.1.1! Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6100 potentially dangerous files/CGIs, checks for outdated versions of over…
-
Announcement: WASC Threat Classification v2 is Out!
I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is pleased to announce…
-
Microsoft’s Enhanced Mitigation Evaluation Toolkit adds protection to processes
Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling). SEHOP This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more information: http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx. With…
-
OWASP Publishes Transport Layer Protection Cheat Sheet
"This article provides a simple model to follow when implementing transport layer protection for an application. Although the concept of SSL is known to many, the actual details and security specific decisions of implementation are often poorly understood and frequently result in insecure deployments. This article establishes clear rules which provide guidance on securely designing…